From 6d5299e7da6007ce135049f9310c870b47a66252 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Kugland?=
Date: Fri, 25 Nov 2022 16:47:28 -0300
Subject: [PATCH] More secure Dockerfile

* Drop privileges and run as `nobody:nobody`.
* Chroot into `/var/www/htdocs`.
* Compile with hardening options.
---
 Dockerfile | 27 ++++++++++++++++++++++++---
 group | 1 +
 passwd | 1 +
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 group
 create mode 100644 passwd

diff --git a/Dockerfile b/Dockerfile
index 278ef0e..e51b77c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,14 +3,35 @@ FROM alpine AS build
 RUN apk add --no-cache build-base
 WORKDIR /src
 COPY . .
+
+# Hardening GCC opts taken from these sources:
+# https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+# https://security.stackexchange.com/q/24444/204684
+ENV CFLAGS=" \
+ -static \
+ -O2 \
+ -flto \
+ -D_FORTIFY_SOURCE=2 \
+ -fstack-clash-protection \
+ -fstack-protector-strong \
+ -pipe \
+ -Wall \
+ -Werror=format-security \
+ -Werror=implicit-function-declaration \
+ -Wl,-z,defs \
+ -Wl,-z,now \
+ -Wl,-z,relro \
+ -Wl,-z,noexecstack \
+"
 RUN make darkhttpd-static \
 && strip darkhttpd-static
 
 # Just the static binary
 FROM scratch
 WORKDIR /var/www/htdocs
-COPY --from=build /src/darkhttpd-static /darkhttpd
+COPY --from=build --chown=0:0 /src/darkhttpd-static /darkhttpd
+COPY --chown=0:0 passwd /etc/passwd
+COPY --chown=0:0 group /etc/group
 EXPOSE 80
 ENTRYPOINT ["/darkhttpd"]
-CMD ["."]
-
+CMD [".", "--chroot", "--uid", "nobody", "--gid", "nobody"]
diff --git a/group b/group
new file mode 100644
index 0000000..7c9e9f3
--- /dev/null
+++ b/group
@@ -0,0 +1 @@
+nobody:x:65534:
diff --git a/passwd b/passwd
new file mode 100644
index 0000000..66251b6
--- /dev/null
+++ b/passwd
@@ -0,0 +1 @@
+nobody:x:65534:65534:nobody:/var/www/htdocs:/darkhttpd
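Review bot: The final stage still has no `USER`, which is deliberate here — the new `CMD` depends on darkhttpd starting as root so it can bind :80 and chroot before switching to nobody — but nothing in the Dockerfile says so and any reader or image scanner will flag a root-running image; add `# Intentionally root at start: darkhttpd binds :80 and chroots, then drops to nobody:nobody via the CMD flags.` above `ENTRYPOINT`. Because `--chroot`, `--uid` and `--gid` live in `CMD` rather than `ENTRYPOINT`, a `docker run <image> <docroot>` command override replaces all of them and the server then keeps running as root with no chroot; a comment warning about this next to the `CMD` line would help, since moving the flags into the entrypoint only works if darkhttpd accepts options ahead of the docroot argument (I do not believe it does). The `-Wl,-z,...` entries in `CFLAGS` only reach the linker if the Makefile's `darkhttpd-static` rule passes `$(CFLAGS)` on the link line, which the hunk does not show; worth confirming, and note that with `-static` the relro/now flags have little effect anyway. `ENV` for build-only flags is harmless because the stage is discarded, but `ARG CFLAGS=...` (or setting it inline on the `make` line) is the more conventional way to keep build-only values out of the stage environment.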